Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

Alan Cox wrote:
> On Maw, 2006-04-18 at 12:31 -0700, Crispin Cowan wrote:
>   
>> implements an approximation to the AppArmor security model, but does it
>> with domains and types instead of path names, imposing a substantial
>> cost in ease-of-use on the user.
>>     
> I don't think that's true. A file name is a pretty meaningless object in
> Unixspace let alone Linux after Al Plan9ified it somewhat.
Not quite; data contents and file names have *different* meanings.
Mediating the contents of the shadow file is good for preserving the
secrecy of the file. Mediating the contents of the thing named
/etc/hosts.allow has impact with respect to what answers to that name,
regardless of what happened to the previous contents.

SELinux has NSA legacy, and that is reflected in their inode design: it
is much better at protecting secrecy, which is the NSA's historic
mission. AppArmor has legacy in intrusion prevention, and so its primary
design goal was to prevent compromised programs from compromising the
host. Name-based access control is better at that, because it lets you
directly control which programs can change the contents of path names
that have critical semantic meaning in UNIX/Linux, such as /etc/shadow,
/etc/hosts.allow, /srv/www/htdocs/index.html and so forth.

>  It has an
> impact on policy design but if anything it makes it slightly harder for
> the policy design work and _easier_ for users, who no longer have to
> follow magic path rules.
>   
Try out AppArmor and see if you still believe that :)

> Can you answer the "when are you submitting it upstream" question ?
It is a small number of hours away. We are polishing our submission now.

>  I've
> certainly not got any fundamental objection to another security system.
> I doubt we'd all use it but we don't all use sys5 file systems or
> reiserfs either.
>   
I very much appreciate that. AppArmor is fundamentally different than
SELinux, in goals and in the resulting design, and we believe it is
important for users to be able to choose the system they want, both in
file systems and security systems.

Note: I'm assuming that LSM will not be removed while we are in the
process of being reviewed. I seem to recall it took SELinux six months
to go from initial submission to acceptance and I'm sure we will have to
fix issues and we don't have illusions that AppArmor will be accepted in
a matter of weeks.

We had actually planned to submit AppArmor next week, and this thread
has accelerated the submission by a few days.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com
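The distinction drawn in the reply above, between mediating an inode's contents and mediating what answers to a name, as an added toy model that is not code from AppArmor, SELinux or the patch series; the labels, paths and rule tables are constructed assumptions, and real policies have create-time type transitions and relabelling tools that the model leaves out.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Inode:
    label: str   # inode model: the security label travels with the object
    data: str

class Filesystem:
    def __init__(self) -> None:
        self.names: dict[str, Inode] = {}

    def create(self, path, label, data):
        self.names[path] = Inode(label, data)

    def rename(self, src, dst):
        # The inode (with its label) moves; dst now resolves to it.
        self.names[dst] = self.names.pop(src)

# Inode-based policy for the confined program, keyed on object labels (assumed).
LABEL_RULES = {
    ("httpd_t", "tmp_t", "write"),      # may write its scratch files
    ("httpd_t", "net_conf_t", "read"),  # may read network config
}

# Name-based profile for the same program, keyed on paths (assumed).
PATH_PROFILE = {
    "/tmp/*": {"read", "write"},
    "/etc/hosts.allow": {"read"},
}

def label_allows(fs, subject, path, op):
    """Decision follows the label of whatever inode the name resolves to."""
    return (subject, fs.names[path].label, op) in LABEL_RULES

def path_allows(path, op):
    # Decision follows the name itself, whatever inode is behind it.
    return any(op in ops and fnmatch.fnmatch(path, pat)
               for pat, ops in PATH_PROFILE.items())

def scenario():
    # Returns (inode_decision, path_decision) for httpd_t writing /etc/hosts.allow.
    fs = Filesystem()
    fs.create("/etc/hosts.allow", "net_conf_t", "sshd: 10.0.0.0/8")
    before = (label_allows(fs, "httpd_t", "/etc/hosts.allow", "write"),
              path_allows("/etc/hosts.allow", "write"))
    # An admin edits a copy in /tmp (so it carries tmp_t) and renames it into place.
    fs.create("/tmp/hosts.allow.new", "tmp_t", "sshd: 10.0.0.0/8 10.1.0.0/16")
    fs.rename("/tmp/hosts.allow.new", "/etc/hosts.allow")
    after = (label_allows(fs, "httpd_t", "/etc/hosts.allow", "write"),
             path_allows("/etc/hosts.allow", "write"))
    return before, after
```

After the replace, the inode model grants the confined program write access to the name because the new inode kept its scratch-file label, while the path model's answer for /etc/hosts.allow is unchanged.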
